Vulnerability Details : CVE-2020-35112
If a user downloaded a file lacking an extension on Windows and then "Open"-ed it from the downloads panel, and the downloads directory contained an executable file with the same name but with an executable extension (such as .bat or .exe), that executable would have been launched instead. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6.
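A defender's check for the condition described above, as an added example that is not part of the advisory or Mozilla's code: it lists extensionless files in a directory that have a same-named sibling with an executable extension. The extension set beyond .bat and .exe and the function names are assumptions, and the sample folder is constructed.

```python
import tempfile
from pathlib import Path

# Extensions Windows treats as directly launchable. The advisory names .bat and
# .exe; the rest of this set is an assumption covering other common cases.
EXECUTABLE_EXTS = {".bat", ".exe", ".cmd", ".com", ".scr", ".pif"}


def find_shadowing_executables(directory):
    """Return {extensionless_file: [same-named executables]} for one directory.

    Names are compared case-insensitively, as Windows file systems do.
    """
    by_stem = {}  # lower-cased stem -> executables carrying that stem
    bare = []     # files with no extension at all
    for entry in Path(directory).iterdir():
        if not entry.is_file():
            continue
        if entry.suffix == "":
            bare.append(entry)
        elif entry.suffix.lower() in EXECUTABLE_EXTS:
            by_stem.setdefault(entry.stem.lower(), []).append(entry.name)
    hits = {}
    for f in bare:
        siblings = by_stem.get(f.name.lower())
        if siblings:
            hits[f.name] = sorted(siblings)
    return hits


def demo():
    """Run the check on a constructed downloads folder (sample data only)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("report", "Report.BAT", "notes", "notes.txt",
                     "setup.exe", "invoice", "invoice.exe"):
            Path(d, name).write_bytes(b"")
        return find_shadowing_executables(d)


if __name__ == "__main__":
    for bare_name, exes in demo().items():
        print(f"{bare_name}: same-named executable present: {', '.join(exes)}")
```

On an affected version, any pair this reports is one where "Open" on the extensionless file would have launched the executable instead; upgrading to the fixed releases listed above removes the behaviour.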
Products affected by CVE-2020-35112
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-35112
- EPSS score: 0.43% (probability of exploitation activity in the next 30 days)
- Percentile: ~75% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2020-35112
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
References for CVE-2020-35112
- https://www.mozilla.org/security/advisories/mfsa2020-56/
  Security Vulnerabilities fixed in Thunderbird 78.6 — Mozilla (Vendor Advisory)
- https://bugzilla.mozilla.org/show_bug.cgi?id=1661365
  Access Denied (Permissions Required)
- https://www.mozilla.org/security/advisories/mfsa2020-55/
  Security Vulnerabilities fixed in Firefox ESR 78.6 — Mozilla (Vendor Advisory)
- https://www.mozilla.org/security/advisories/mfsa2020-54/
  Security Vulnerabilities fixed in Firefox 84 — Mozilla (Vendor Advisory)